Public Key Infrastructure

Trust at Scale
Starts with PKI

Certificates, certificate authorities, and machine identity at the scale AI demands — explained, automated, and operationalized without the legacy pain. Built for machines, workloads, and the AI agents that now need cryptographic identities too.

The Problem

PKI Running on Tribal Knowledge

Most organizations operate PKI on a combination of institutional memory, spreadsheets, and certificates that expire at 2 a.m. on a Saturday. That was always fragile — now it's untenable.

💥

Expiry-driven outages

Certificates expire on forgotten schedules, taking down production systems at the worst possible moments — and no alert ever fired.

🌫️

Certificate inventory blindness

Nobody can enumerate every certificate in production. Shadow PKI runs in corners of the environment nobody monitors.

📈

Machine identity explosion

Workloads, containers, devices, and now AI agents all demand cryptographic identities. Manual PKI cannot scale to that population.

⚗️

Algorithm lock-in

Post-quantum standards are arriving. Organizations with no crypto-agility face an emergency migration instead of a planned one.

🗒️ Cert inventory in spreadsheet [STALE]
  ↓ manual reminder
⏰ Calendar alert: renew in 3 days [MISSED]
  ↓ human dependency
🤷 Nobody knows who manages this CA [UNKNOWN]
  ↓ tribal knowledge failure
🚨 Portal outage at 2:17 AM [P0]
  ↓ 6-hour incident
📋 Post-mortem: "add to spreadsheet" [AGAIN]

The Solution

From Certificate Chaos to Cryptographic Order

pki.ms covers the complete discipline of modern PKI — from CA hierarchy design to AI agent identity — with an emphasis on operational PKI that runs reliably, not PKI that lives in a binder.

📚

PKI Fundamentals, Demystified

Keys, certificates, CAs, intermediates, revocation, and chains of trust — explained precisely enough for practitioners and clearly enough for newcomers.

🏗️

CA Hierarchy Design

Root and intermediate CA structures that balance security, operational flexibility, and blast-radius containment — including offline root best practices.

♻️

Lifecycle Automation

Discover every certificate, automate issuance and renewal via ACME, and alert on everything that can't yet be automated. Expiry outages become a historical artifact.

⚙️

Machine & Workload Identity

Short-lived certificates for services, containers, and devices at scale — mutual TLS done right, with identities that rotate faster than attackers can exploit them.

🤖

Certificates for AI Agents

Per-agent certificates, attestation of agent provenance, and signing of agent actions — so autonomy never means anonymity, and every agent action is attributable.

🔮

Crypto-Agility & Post-Quantum

Inventory your algorithms, plan migration paths, and build the agility to swap cryptography as standards evolve — including the post-quantum transition on the horizon.

Deep Capabilities

Every Layer of Modern PKI

Public & Private Keys

Asymmetric cryptography explained from first principles — how keys are generated, protected, and used for encryption and signing.

X.509 Certificates

What a certificate contains, how it binds a public key to an identity, and why trust ultimately traces back to a root CA.

Certificate Authorities & Chains

How root and intermediate CAs build a chain of trust — and what happens when any link in that chain is compromised.

Revocation Mechanisms

CRL, OCSP, and OCSP stapling — the tradeoffs of each approach and how revocation works (and fails) in practice.

TLS Handshake Deep Dive

Step-by-step walkthrough of how TLS uses certificates to establish authenticated, encrypted channels.

// X.509 Certificate Structure
Certificate {
  Subject: "api.internal",
  Issuer: "Intermediate CA",
  KeyAlgo: "ECDSA P-256",
  NotBefore: "2026-01-01",
  NotAfter: "2026-01-02",
  // 24-hour lifetime
  SANs: ["api.internal"],
  Signature: "[ECDSA sig]"
}
// Trust chain verified ✓

Offline Root CA Design

The root CA should never be online. Guidance for air-gapped roots, ceremony procedures, and hardware security modules.

Intermediate CA Tiers

Structuring intermediate CAs by environment, purpose, or geography to contain blast radius and enable independent revocation.

Trust Boundary Planning

Deciding what gets a certificate from which CA, and how to keep trust domains from collapsing into one another under pressure.

Compromise Recovery Planning

Rehearsed playbooks for intermediate and root CA compromise — knowing what you'd do before you need to do it.

Audit Readiness

Certificate policies, Certificate Practice Statements, and the documentation auditors expect to find when they come looking.

// Recommended CA Hierarchy

Root CA (offline)
  └─ Issuing CA: Services
     └─ cert: api.internal
     └─ cert: grpc.internal
  └─ Issuing CA: Devices
     └─ cert: laptop-42
  └─ Issuing CA: Agents
     └─ cert: agent-gpt-7a2f

// Blast radius: contained ✓
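
As an added illustration of the two blocks above (the X.509 structure and the recommended hierarchy), not code from pki.ms: the Go program below builds an offline root, an "Issuing CA: Services" that is name-constrained to .internal, and a 24-hour api.internal leaf, then checks that the chain verifies, that a leaf named agent-7a2f.agents signed by the Services CA is rejected (the blast-radius containment the tiers are meant to provide), and that the 24-hour certificate fails once it has expired. Names and validity periods are constructed for the example, and enforcing the tiers with X.509 name constraints is an assumption of this example rather than something the page states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl returns a CA template (with critical DNS name constraints when permitted is set) or a leaf template.
func tmpl(name string, ttl time.Duration, isCA bool, permitted []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; a real CA uses random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IsCA: isCA, BasicConstraintsValid: true,
		PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if !isCA { t.DNSNames = []string{name} } // the SAN that the issuer's name constraints are enforced on
	return t
}
// issue generates a P-256 key and signs c with parentKey; a nil parentKey yields a self-signed root.
func issue(c, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parentKey == nil { parent, parentKey = c, key }
	der, err := x509.CreateCertificate(rand.Reader, c, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verify chains leaf -> issuing -> root as of time at; a nil error means the chain is trusted.
func verify(leaf, issuing, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}
// ChainChecks: api.internal verifies; an .agents leaf from the Services CA fails its name constraint; the 24h leaf fails once expired.
func ChainChecks() (okChain, crossTierBlocked, expiredBlocked bool) {
	root, rootKey := issue(tmpl("Root CA (offline)", 8760*time.Hour, true, nil), nil, nil)
	svcCA, svcKey := issue(tmpl("Issuing CA: Services", 8760*time.Hour, true, []string{".internal"}), root, rootKey)
	api, _ := issue(tmpl("api.internal", 24*time.Hour, false, nil), svcCA, svcKey)
	rogue, _ := issue(tmpl("agent-7a2f.agents", 24*time.Hour, false, nil), svcCA, svcKey)
	return verify(api, svcCA, root, time.Now()) == nil, verify(rogue, svcCA, root, time.Now()) != nil,
		verify(api, svcCA, root, time.Now().Add(25*time.Hour)) != nil
}
```

A production issuer would also set key usage bits and use an HSM-held root key; both are omitted here to keep the chain logic in view.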

Full Estate Discovery

Enumerate every certificate in your environment — including the forgotten ones on legacy systems that nobody can name but everyone depends on.

ACME Protocol Integration

Automate issuance and renewal via ACME — the same protocol that powers Let's Encrypt, applied to your internal PKI.

Short-Lifetime Enforcement

Certificates measured in hours or days instead of years — automation makes this practical, and it turns key compromise from crisis to inconvenience.

Expiry Alerting

Tiered alerts on everything that isn't yet automated, so nothing expires silently at 2 a.m. on a Saturday ever again.

Pipeline Integration

Certificate issuance embedded in CI/CD, container orchestration, and infrastructure-as-code — identity provisioned at deployment time.

// ACME auto-renewal pipeline
on: cert.expiry_warning(days=14)

steps:
  - acme.order(domain)
  - challenge.complete()
  - cert.install(target)
  - service.reload()
  - alert.clear()

// Lifetime: 24h · Auto-renews ✓
// Next expiry: never a surprise
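
An added example for the Discover and Expiry Alerting steps above, not the page's pipeline: a Go triage function that tiers each certificate by the fraction of its lifetime remaining (the assumed policy, renew below one third and critical below one tenth, is the proportional kind ACME clients use, so one rule serves 24-hour and 1-year certificates alike) and flags legacy signature hashes for the crypto-agility inventory. The certificate records are constructed in memory rather than parsed from a real estate.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"time"
)

// Finding is one inventory row: renewal tier plus algorithm-inventory flags.
type Finding struct {
	DaysLeft int
	Tier     string   // "ok", "renew", "critical" or "expired"
	Weak     []string // e.g. "weak-signature-hash"
}
// Triage tiers by fraction of lifetime left (assumed policy: renew below 1/3, critical below 1/10) and flags legacy hashes.
func Triage(c *x509.Certificate, now time.Time) Finding {
	lifetime, remaining := c.NotAfter.Sub(c.NotBefore), c.NotAfter.Sub(now)
	f := Finding{DaysLeft: int(remaining.Hours() / 24), Tier: "ok"}
	switch {
	case remaining <= 0:
		f.Tier = "expired"
	case remaining < lifetime/10:
		f.Tier = "critical"
	case remaining < lifetime/3:
		f.Tier = "renew"
	}
	switch c.SignatureAlgorithm { // legacy signature hashes go on the crypto-agility migration list
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		f.Weak = append(f.Weak, "weak-signature-hash")
	}
	return f
}
// sample is a constructed, unsigned inventory record; a real scan parses PEM or DER instead.
func sample(cn string, age, ttl time.Duration, alg x509.SignatureAlgorithm, now time.Time) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, SignatureAlgorithm: alg,
		NotBefore: now.Add(-age), NotAfter: now.Add(ttl - age)}
}
// InventoryReport triages a constructed estate (a forgotten 1-year cert plus two 24h workload certs), keyed by CN.
func InventoryReport() map[string]Finding {
	now, out := time.Now(), map[string]Finding{}
	for _, c := range []*x509.Certificate{
		sample("portal.internal", 363*24*time.Hour, 365*24*time.Hour, x509.SHA1WithRSA, now),
		sample("api.internal", 10*time.Hour, 24*time.Hour, x509.ECDSAWithSHA256, now),
		sample("grpc.internal", 20*time.Hour, 24*time.Hour, x509.ECDSAWithSHA256, now),
	} {
		out[c.Subject.CommonName] = Triage(c, now)
	}
	return out
}
```

The 1-year portal certificate with two days left lands in the critical tier with a weak-hash flag, while the 24-hour grpc.internal certificate with four hours left is already inside its renewal window.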

Workload Identity at Scale

Every service, container, and pod gets a certificate — issued at startup, valid for hours, rotated automatically throughout its lifecycle.

Mutual TLS Between Services

mTLS gives each service a verifiable identity so east-west traffic is authenticated and encrypted by default — the backbone of zero trust networking.

Device Certificate Patterns

Issuing and managing certificates for endpoints, IoT devices, and infrastructure hardware — at scale, without manual intervention.

SPIFFE / SPIRE Integration

Standards-based workload identity using SPIFFE IDs and SPIRE for automatic attestation and certificate delivery.

Short-Lived Credential Patterns

Identities that rotate faster than attackers can exploit them — key compromise becomes a non-event when lifetimes are measured in hours.

// mTLS workload bootstrap
workload api-gateway {
  spiffe_id: "spiffe://prod/api",
  cert_ttl: "4h",
  auto_rotate: true,
  mtls: required,
  trust_domain: "prod"
}

// Identity: verified ✓
// Traffic: encrypted + authn ✓

Per-Agent Certificates

Every AI agent instance gets its own certificate — not a shared credential. Identity is individual, attributable, and rotatable.

Agent Provenance Attestation

Cryptographic proof of which model, version, and configuration produced an agent — so provenance is verifiable, not just claimed.

Action Signing

Agent outputs and actions are signed with the agent's private key, making every decision attributable and impersonation immediately detectable.

mTLS for Agent-to-Service Auth

Agents authenticate with mutual TLS rather than static API keys — rotating credentials that don't live in environment variables.

Autonomy Without Anonymity

As agents act on the organization's behalf, every action traces back to a cryptographic identity — building the accountability layer the AI era requires.

// AI Agent Identity Pattern
agent research-agent-7a2f {
  cert_cn: "agent-7a2f.agents",
  model: "claude-3-7",
  ttl: "1h",
  sign_outputs: true
}

action.result {
  signed_by: "agent-7a2f",
  verifiable: true
}
// Autonomy ≠ Anonymity ✓
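
An added example of the Action Signing pattern above, not pki.ms code: each agent signs a canonical JSON encoding of its action with the private key behind its certificate, and the verifier looks up the public key for the identity the action claims, so an edited action, or one signed with another agent's key, is rejected. The keys, agent names, registry and sample action are all constructed for the demonstration; in practice the registry would be fed from the CA's issuance records and the keys would live in a TPM or HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Action is one thing an agent did; every field, including the claimed identity, is covered by the signature.
type Action struct {
	Agent string `json:"agent"` // subject name from the agent's certificate
	Tool  string `json:"tool"`
	Args  string `json:"args"`
	Nonce string `json:"nonce"` // replay protection: the verifier should accept each nonce once
}
// digest canonicalises the action (struct field order is fixed) and hashes it.
func digest(act Action) []byte {
	b, _ := json.Marshal(act)
	h := sha256.Sum256(b)
	return h[:]
}

// Sign signs the action digest with the private key behind the agent's certificate.
func Sign(key *ecdsa.PrivateKey, act Action) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, key, digest(act))
	return sig
}

// Registry maps agent identities to the public keys from their certificates.
type Registry map[string]*ecdsa.PublicKey
// Verify checks the signature against the key registered for the identity the action claims.
func (r Registry) Verify(act Action, sig []byte) bool {
	pub, ok := r[act.Agent]
	return ok && ecdsa.VerifyASN1(pub, digest(act), sig)
}

// Checks: a genuine action verifies; tampered args are rejected; an action claiming agent 7a2f
// but signed with agent 9c01's key (impersonation) is rejected. Keys are constructed in memory.
func Checks() (genuine, tamperedRejected, impersonationRejected bool) {
	k7, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	k9, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg := Registry{"agent-7a2f.agents": &k7.PublicKey, "agent-9c01.agents": &k9.PublicKey}
	act := Action{Agent: "agent-7a2f.agents", Tool: "ticket.close", Args: "INC-1042", Nonce: "n-0001"}
	sig := Sign(k7, act)
	tampered := act
	tampered.Args = "INC-*"
	return reg.Verify(act, sig), !reg.Verify(tampered, sig), !reg.Verify(act, Sign(k9, act))
}
```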

How It Works

Four Steps from Chaos to Control

A repeatable operational journey — from not knowing what you have to running PKI that scales to the AI era without human intervention.

01

Discover

Inventory every certificate and key in your environment — including the forgotten ones quietly doing critical work on legacy systems that nobody documents. You cannot manage what you cannot see.

02

Design

Establish or refine your CA hierarchy and certificate policies, with trust boundaries that contain compromise instead of amplifying it. Offline roots, intermediate tiers, compromise recovery — designed before you need it.

03

Automate

Move issuance, renewal, and revocation to automated pipelines using ACME and similar protocols. Eliminate the human-memory failure mode entirely — certificates renew themselves, every time, without a calendar reminder.

04

Extend

Issue cryptographic identities to the full machine population — services, containers, devices, and AI agents — with certificate lifetimes measured in hours. Trust scales; the attack surface doesn't.

Use Cases

PKI That Actually Does Work

01

Eliminating Expiry Outages

Automated discovery and renewal means the certificate that used to take down the customer portal at midnight now rotates itself weeks before expiry — silently, reliably, every time.

02

Mutual TLS Between Services

Short-lived workload certificates give every microservice a verifiable identity, so east-west service traffic is authenticated and encrypted by default — the backbone of zero trust architecture.

03

Signing AI Agent Actions

Each agent holds its own certificate; its outputs are signed, making provenance verifiable and impersonation immediately detectable — critical as AI agents act autonomously on the organization's behalf.

Who It's For

Built for Everyone Responsible for Trust

🔧

Security Engineers

Inherited a PKI nobody fully documented? Get the operational guidance to clean it up, automate it, and make it auditable.

☁️

Platform & DevOps Teams

Scaling certificates across clouds and clusters? Patterns for automated issuance that fits into your CI/CD and infrastructure-as-code workflows.

🏛️

Architects

Extending machine identity to AI agents and autonomous systems? Design patterns for bringing certificate-based trust to the newest identity population.

📊

Security Leaders

Planning crypto-agility and the post-quantum migration? The strategic framework to build algorithm flexibility before the migration becomes mandatory.

Manual vs Modern PKI

The Cost of Standing Still

Dimension              | Manual / Legacy PKI                  | Modern Automated PKI
-----------------------|--------------------------------------|-------------------------------------
Certificate inventory  | Spreadsheet, always outdated         | Continuous discovery, always current
Renewal process        | Calendar reminder, often missed      | Automated via ACME, zero human touch
Certificate lifetime   | 1–2 years, rarely rotated            | Hours to days, auto-rotated always
Expiry outages         | Inevitable, unpredictable            | Eliminated by automated renewal
Machine identity scale | Manual — doesn't scale to containers | Unlimited — scales to AI agents
Post-quantum readiness | Unknown algorithm inventory          | Inventoried, agility built in
Compromise recovery    | No rehearsed playbook                | Documented, tested, ready to run

Security & Future-Readiness

Building Crypto-Agile Infrastructure

The cryptographic landscape is shifting. Post-quantum algorithms are standardized. Organizations that build algorithm agility now run an operation; those that wait run an emergency.

🔑

Algorithm Inventory

Know every algorithm in use across your certificate estate — RSA key sizes, ECDSA curves, hash functions — before the migration window arrives.

🔄

Crypto-Agility Design

Architect systems to swap cryptographic primitives without application changes — abstract the algorithm layer so migration is operational, not architectural.

⚛️

Post-Quantum Migration Path

NIST post-quantum standards are finalized. The migration will take years — starting the inventory now means the eventual swap is planned, not panicked.

🛡️

Offline Root Protection

Air-gapped root CAs with hardware security modules — the root of your trust hierarchy protected against both external attack and insider threat.

📋

Audit & Compliance Readiness

Certificate policies, CPS documentation, and the evidence trail auditors need — built into operations from the start rather than assembled before each audit.

🚨

Compromise Recovery Planning

Rehearsed incident playbooks for intermediate and root CA compromise — so the question is never "what do we do now?" but "run the playbook."

FAQ

Common Questions

Our PKI 'works' — why modernize?

Working today and surviving tomorrow are different things. If renewal depends on a calendar reminder, if nobody can enumerate every certificate in production, or if a CA compromise has no rehearsed recovery plan — the PKI works until the day it very much doesn't. Modern PKI removes each of those failure modes before they become incidents.

How short should certificate lifetimes be?

As short as your automation allows. Public TLS maximum lifetimes keep shrinking — 47 days is the current trajectory. Internal workload certificates increasingly live for hours or days. Short lifetimes turn key compromise from a crisis into an inconvenience, but they're only practical when renewal is fully automated — manual renewal at 24-hour lifetimes is impossible.

Why would an AI agent need a certificate?

For the same reason a server does: verifiable identity. A certificate lets an agent authenticate with mutual TLS, sign its actions, and prove its provenance — turning an anonymous autonomous process into an accountable actor. As agents act on the organization's behalf at scale, anonymity becomes an unacceptable risk.

Is post-quantum preparation really urgent right now?

The migration will take years, and data harvested today can be decrypted later when quantum computers are capable. Urgency doesn't mean panic — it means starting the algorithm inventory and agility work now so the eventual algorithm swap is a planned operation, not an emergency response to an expired deadline.

What's the difference between ACME and manual certificate management?

ACME is a protocol that automates the challenge-response process of certificate issuance and renewal. With ACME, certificates renew themselves before expiry without any human action — no email reminders, no calendar entries, no 2 a.m. emergency rotations. It's what powers Let's Encrypt and can be applied to your internal PKI using the same protocol.

The Trust Layer of the AI Era

Certificates Without the Chaos.

Every secure connection, signed action, and authenticated machine traces back to PKI. Modern certificate lifecycle management — automated, observable, and ready for AI scale.
